When there have been a couple of releases, because I don't have the time to update every single time?

Now?

The best time is right now. Spammers are taking advantage of exploits in old versions of WordPress and inserting hidden spam links in posts and using WordPress powered blogs to distribute viruses and malicious software. They’re also using these exploits to run their own code on your server.

This morning I spotted an Irish blog in my feedreader that had hidden links added to it. I contacted the blog owner and she’s going to upgrade her blog soon.

The best way of stopping them is to download the latest version of WordPress, which at the moment is 2.5 (updated from 2.3.3), and if you use WordPress MU you should download version 1.3.3 of that. Once you've upgraded, change the passwords of all your users. On WordPress MU sites it's probably enough to ask any user with site_admin access to change their password. To make your life easier, try the WordPress Automatic Upgrade plugin. I haven't used it yet but it works for a lot of people.

If you suspect that your blog has been compromised and you have already upgraded, then please change your passwords and overwrite your current install with the files from a newly downloaded copy of WordPress. It's worth checking that no extra PHP files have been added too: overwriting only replaces the files WordPress ships, so a backdoor dropped in as a new file survives the upgrade.
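The following shell script is an added example (it is not from the original post and not part of WordPress) of the "extra or changed files" check described above. It assumes you have unpacked a clean copy of the same WordPress version somewhere outside the web root and compares the live tree against it. wp-config.php, .htaccess and everything under wp-content/ are treated as expected differences, since a pristine download doesn't contain them, but any PHP file under wp-content/uploads/ is still flagged, because that directory is supposed to hold images, not code.

```sh
#!/bin/sh
# Compare a live WordPress tree against a freshly unpacked copy of the same version.
# Output, one finding per line:
#   MISSING <path>       file in the clean copy that the live site no longer has
#   EXTRA <path>         file in the live tree that a clean copy doesn't ship
#   MODIFIED <path>      shipped file whose contents differ from the clean copy
#   UPLOADED_PHP <path>  PHP under wp-content/uploads/ (should never happen)
# Hypothetical helper names; only POSIX tools (find, sort, cmp) are used.

# Paths that legitimately exist in a live site but not in a pristine download.
is_expected_extra() {
    case "$1" in
        ./wp-config.php|./.htaccess|./wp-content/*) return 0 ;;
        *) return 1 ;;
    esac
}

audit_wp_install() {
    clean="$1"
    live="$2"

    # 1. Shipped files that have been removed from the live site.
    (cd "$clean" && find . -type f | sort) | while IFS= read -r f; do
        [ -e "$live/$f" ] || echo "MISSING $f"
    done

    # 2. Files in the live site: either not shipped at all, or shipped but changed.
    (cd "$live" && find . -type f | sort) | while IFS= read -r f; do
        if [ ! -e "$clean/$f" ]; then
            if is_expected_extra "$f"; then
                # user content is expected, but PHP in the uploads dir is not
                case "$f" in
                    ./wp-content/uploads/*.php) echo "UPLOADED_PHP $f" ;;
                esac
            else
                echo "EXTRA $f"
            fi
        elif ! cmp -s "$clean/$f" "$live/$f"; then
            echo "MODIFIED $f"
        fi
    done
    return 0
}

# Usage: audit_wp_install /tmp/wordpress-clean /var/www/blog
```

Run it before you overwrite anything, so you have a record of what was touched; every EXTRA, MODIFIED and UPLOADED_PHP line deserves a look, and MODIFIED lines in wp-includes/ or wp-admin/ are exactly where injected code tends to live. Themes and plugins under wp-content/ are not compared here because the clean download doesn't contain yours; compare those against their own original downloads the same way.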

Running your own blog is about more than just writing and contributing to the blogosphere conversation. You also have an important responsibility to be a good ‘net citizen by keeping your software up to date.

If you absolutely cannot upgrade straight away, then adding a .htaccess file to your wp-admin/ directory that requires a second username and password (HTTP Basic authentication) might help. This page describes how to do that, but it is no substitute for upgrading to WordPress 2.5 (updated from 2.3.3). You should delete your xmlrpc.php too, at the cost of pingbacks and posting from desktop blogging clients.
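Here is the stop-gap above as a shell script. It is an added example, not code from the original post or from WordPress, and it assumes Apache with AllowOverride AuthConfig enabled for the site and the openssl command-line tool available for hashing. The function names are made up for this example. Two details matter in practice: AuthUserFile needs an absolute path, and the htpasswd file should live outside the document root so it can never be served. Rather than deleting xmlrpc.php outright, the script moves it out of the web root so it can be put back after the upgrade.

```sh
#!/bin/sh
# Put HTTP Basic auth in front of wp-admin/ and take xmlrpc.php offline
# until the install can be upgraded. Hypothetical helper names.

# Write wp-admin/.htaccess pointing at an absolute htpasswd path.
write_admin_htaccess() {
    wp_root="$1"
    htpasswd_file="$2"
    case "$htpasswd_file" in
        /*) ;;
        *) echo "htpasswd path must be absolute: $htpasswd_file" >&2; return 1 ;;
    esac
    # The path is quoted so a directory with spaces still works.
    cat > "$wp_root/wp-admin/.htaccess" <<EOF
AuthType Basic
AuthName "WordPress admin"
AuthUserFile "$htpasswd_file"
Require valid-user
EOF
}

# Add (or replace) a user in the htpasswd file with an apr1 (MD5-crypt) hash,
# which every Apache build understands. The password goes to openssl on stdin
# so it never appears in the process list.
add_htpasswd_user() {
    htpasswd_file="$1"
    user="$2"
    password="$3"
    hash=$(printf '%s\n' "$password" | openssl passwd -apr1 -stdin) || return 1
    # drop any existing line for this user, then append the new one
    if [ -f "$htpasswd_file" ]; then
        grep -v "^$user:" "$htpasswd_file" > "$htpasswd_file.tmp" || true
    else
        : > "$htpasswd_file.tmp"
    fi
    echo "$user:$hash" >> "$htpasswd_file.tmp"
    mv "$htpasswd_file.tmp" "$htpasswd_file"
    chmod 600 "$htpasswd_file"
}

# Move xmlrpc.php out of the web root, keeping a copy so it can be restored later.
# Renaming it in place would leave it downloadable as plain text, so it goes elsewhere.
disable_xmlrpc() {
    wp_root="$1"
    backup_dir="$2"
    [ -f "$wp_root/xmlrpc.php" ] || return 0
    mkdir -p "$backup_dir"
    mv "$wp_root/xmlrpc.php" "$backup_dir/xmlrpc.php"
}

# Usage (paths are examples):
#   write_admin_htaccess /var/www/blog /etc/apache2/blog.htpasswd
#   add_htpasswd_user /etc/apache2/blog.htpasswd admin 'a long passphrase'
#   disable_xmlrpc /var/www/blog /var/backups/blog
```

The Basic auth prompt applies to everything under wp-admin/, so every blog author will be asked for the shared credentials before they even reach the WordPress login form; that is the point, but tell them first. Remember this only narrows the attack surface, it doesn't fix the vulnerable code, so the upgrade still has to happen.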

Update! To find any posts with hidden links search your posts for any of the following:

display:none;

height:0

You can use the Search box on the posts edit page, or phpMyAdmin.
Open up phpMyAdmin, go to wp_posts, click Search and in the box next to post_content type %string% where string is one of the two options above.
That may return posts that don’t have any hidden links but it’s better to be safe than sorry.
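If you'd rather do the search from the command line than click through phpMyAdmin, here is an added example (not from the original post) that scans a tab-separated export of wp_posts for the same strings. It assumes the export was made with the mysql client in batch mode, which puts one row per line with the post body's newlines escaped, and it goes a little beyond the two strings above by also matching visibility:hidden and the large negative text-indent and left offsets that spammers use for the same purpose; those extra patterns are my addition.

```sh
#!/bin/sh
# Find posts whose content carries CSS used to hide injected links.
# Input: a TSV of "ID<TAB>post_content", one post per line, e.g. from
#   mysql -B -N -e 'SELECT ID, post_content FROM wp_posts' wordpress_db > posts.tsv
# Output: "ID<TAB>snippet" for each post that matches, snippet starting at the match.
# Hypothetical function name; only awk is used.

# display:none and height:0 are the two strings from the post above; the rest
# are other common hiding tricks. Spaces after the colon are allowed. Case is
# handled by lowercasing the content before matching.
hidden_css_regex='display: *none|height: *0|visibility: *hidden|text-indent: *-[0-9]|left: *-[0-9][0-9][0-9][0-9]'

find_hidden_link_posts() {
    awk -F'\t' -v re="$hidden_css_regex" '
        {
            body = tolower($2)
            # match() sets RSTART; tolower() keeps the length, so the offset
            # is valid in the original text too.
            if (match(body, re)) {
                print $1 "\t" substr($2, RSTART, 60)
            }
        }' "$1"
}

# Usage: find_hidden_link_posts posts.tsv
```

As with the phpMyAdmin search, expect some false positives: a theme author who legitimately uses height:0 for a clearing element will show up too. The snippet column is there so you can tell the two apart without opening every post.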

This is a security release to address issues brought to our attention by Alexander Concha who I must thank for his unfailing patience while we sorted out this release.

Edit: this release is based on WordPress 2.2.3. Unfortunately a last minute bug crept in where post titles looked like post slugs when viewed on your blog. I quickly rolled together a new minor release, 1.2.5a which has an updated wpmu-functions.php. The download page has been updated too. If you have already updated your install, all you have to do is go to this page and download a new wpmu-functions.php and place it in your wp-includes directory. Apologies for the mix up!

Edit 2: I forgot to mention yesterday that a lot of the functions that were in the files in mu-plugins/ have been moved into wp-includes/wpmu-functions.php so move those files out of the way if you get errors about functions already existing. As stated previously on the forum, kses.php is synced with the one in WordPress which means class and id will be stripped from posts. If you’re happy for your users to use the class and id tag attributes then the following function will come in handy. Put it in mu-plugins/kses.php where it will be activated automatically.

The observant among you will notice I forgot to assign the result of the filter in wp-includes/kses.php. This has since been fixed but it was too late for this release. Making it a global in the function above was a suitable work around.

On the off chance that you haven't heard the news yet: you should upgrade your WordPress install straight away. Don't hesitate, do it now. Don't pause to grab a cup of coffee. If you're just waking up then rub the sleep from your eyes and jump to the download page and grab WordPress 2.1.2.

Long story short: If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately.

Users running from svn code aren't affected, but then you probably knew that already, didn't you? You should be subscribed to the Hackers and Testers lists.

Don’t worry if you’re running a WordPress MU site. That isn’t affected, although you should upgrade to the latest 1.1.1 release as that fixes a number of problems with 1.0 as well as merging in some security fixes from WordPress core.

On January 20th I’ll be speaking at BarCamp South East on the subject of WordPress.com and WordPress MU. The talk is titled, “WordPress.com – running the biggest wpmu site in the world” which is vague enough that I could talk about anything but I’d like to know what you want to hear.

Public speaking isn’t my strong point, I prefer to be behind the keyboard, or looking through a camera lens but sometimes you have to push yourself to do unfamiliar things. Here’s my go at public speaking.

Talks will be in 45 minute slots and I would like to make mine more of a discussion forum like the WPMU talk we had at WordCamp way back in August last year. It went really well and everyone got something out of it.

Subjects I’m considering include:

Merging code from WP core which is horribly exciting, have you ever seen vimdiff in action?

Site stats – did you know we publish them?

Hardware – server porn. How do we handle the load generated by Slashdots, Diggs, and almost 600,000 blogs?

Hooks and plugins – new hooks in the signup process and wpmu admin backend.

Anyone interested in working from home and virtual company issues? Automattic has employees in at least four countries.

So, if you’ll be there I want to hear from you. If you won’t, I still want to hear from you because I’m sure Bernie or someone will record the talk and put it up online.

Matt took time out to update the feedback form in WordPress MU and WordPress.com today! Here’s a taster of what it looks like:

See the “Feedback” link above there? Hit that to send feedback to the admins of your WPMU site.

This is the feedback form that appears. It's already being used on WordPress.com to great effect, reporting bugs and suggestions from users to the admins.

Thank you for your feedback. The great thing about this is that you can send feedback about the current page without disturbing what you’ve been doing. It’s sent to the server via an AJAX request and happens without refreshing the page!

Lots of people are asking about WordPress.com, fortunately for them there has been lots said about it already, both on the wp-hackers list, and on the WPMU blog. Usually without much feedback which I have found strange, but there you go!
The question comes up on IRC frequently, and here’s what I said a short while ago:

<donncha> it’s just WordPress.. if you already run a WordPress blog then you know a lot about what WordPress.com will be 🙂

It’s that, but also more. WordPress.com is going to be a great site and a shining example of what can be built on GPL software!

Hopefully you should see this site run a little faster, I’ve moved most database accesses to inside the cache loop.
For most users caching and processing of requests should be faster because the whole WordPress posts loop is now cached, but there is a trade-off. I can't check whether a page shows multiple posts or a single one, so every page, including the front page, is cached under your comment credentials and user login (if any). In other words, if I visit the front page and then you do, the front page won't be cached for you, but if two anonymous users visit, the second visitor will get a completely cached copy.
If you see any problems please leave a comment on this post, or email me at donncha @ linux.ie!

A bit later... I'm watching the logs and I'm glad I made that change. We're being hit by 280 attempts at referer spamming from sex 4singles.com. After the first hit, all they get served is static html! 🙂

Here’s an updated list of recent spam to this list. It’s updated every few minutes so you can see a snippet of the spam that’s being deleted automatically here by Kitten’s Spaminator and diligent updating of keywords. Go wild!

I need to think about this a bit more. WPMU supports multiple blogs, run by multiple different people, all of whom can update their spam word lists. Wouldn’t it be useful to have a “I trust the following blogs” list so that spam words can be shared between blogs?

Slightly related, I started using PEAR Cache to cache frequently used database calls. Stuff like the “last posts” and other plugins now use that. It’s working very well and load on the server has gone down!

Oh, and when you're updating to the latest CVS version of WordPress, a database table has changed. I ran the following to update my tables:

    cd wp-inst/wp-content/blogs
    for i in *; do
        echo "ALTER TABLE wp_${i}_users CHANGE dateYMDhour user_registered DATETIME DEFAULT '0000-00-00 00:00:00' NOT NULL" | mysql wordpress_db
    done

Donncha Ó Caoimh is a software developer at Automattic and WordPress plugin developer. He posts photos at In Photos and can also be found on Google+ and Twitter.
